tests: use permission profiles in unified exec suite

core: use permission profiles in small read-only contexts
exec tests: launch sandbox cases from permission profiles
2026-05-15 02:31:14 +03:00 · 2026-04-30 03:01:06 -07:00 · 2026-04-30 03:01:06 -07:00 · 2026-04-30 02:36:30 -07:00 · 2026-04-30 02:36:30 -07:00 · 2026-04-30 02:36:30 -07:00
15 changed files with 195 additions and 201 deletions
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -98,7 +98,6 @@ use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::HookEventName;
 use codex_protocol::protocol::HookRunStatus;
 use codex_protocol::protocol::HookSource;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
@@ -313,9 +312,7 @@ fn sample_turn_resolved_config(turn_id: &str) -> TurnResolvedConfigFact {
        session_source: SessionSource::Exec,
        model: "gpt-5".to_string(),
        model_provider: "openai".to_string(),
-        permission_profile: CorePermissionProfile::from_legacy_sandbox_policy(
-            &SandboxPolicy::new_read_only_policy(),
-        ),
+        permission_profile: CorePermissionProfile::read_only(),
        permission_profile_cwd: PathBuf::from("/tmp"),
        reasoning_effort: None,
        reasoning_summary: None,
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -979,7 +979,7 @@ fn sandbox_policy_mode(permission_profile: &PermissionProfile, cwd: &Path) -> &'
                if permission_profile.network_sandbox_policy().is_enabled() {
                    "full_access"
                } else {
-                    "external_sandbox"
+                    "custom_permissions"
                }
            } else if file_system_policy
                .get_writable_roots_with_cwd(cwd)
@@ -1089,7 +1089,7 @@ mod tests {
    use codex_protocol::permissions::NetworkSandboxPolicy;

    #[test]
-    fn managed_full_disk_with_restricted_network_reports_external_sandbox() {
+    fn managed_full_disk_with_restricted_network_reports_custom_permissions() {
        let permission_profile = PermissionProfile::from_runtime_permissions_with_enforcement(
            SandboxEnforcement::Managed,
            &FileSystemSandboxPolicy::unrestricted(),
@@ -1098,7 +1098,7 @@ mod tests {

        assert_eq!(
            sandbox_policy_mode(&permission_profile, Path::new("/")),
-            "external_sandbox"
+            "custom_permissions"
        );
    }
 }
--- a/codex-rs/core/src/agent/role_tests.rs
+++ b/codex-rs/core/src/agent/role_tests.rs
@@ -512,7 +512,8 @@ model_reasoning_effort = "high"
 #[tokio::test]
 #[cfg(not(windows))]
 async fn apply_role_does_not_materialize_default_sandbox_workspace_write_fields() {
-    use codex_protocol::protocol::SandboxPolicy;
+    use codex_protocol::permissions::NetworkSandboxPolicy;
+
    let (home, mut config) = test_config_with_cli_overrides(vec![
        (
            "sandbox_mode".to_string(),
@@ -574,12 +575,13 @@ writable_roots = ["./sandbox-root"]
        false
    );

-    match &config.legacy_sandbox_policy() {
-        SandboxPolicy::WorkspaceWrite { network_access, .. } => {
-            assert_eq!(*network_access, true);
-        }
-        other => panic!("expected workspace-write sandbox policy, got {other:?}"),
-    }
+    assert_eq!(
+        config
+            .permissions
+            .permission_profile()
+            .network_sandbox_policy(),
+        NetworkSandboxPolicy::Enabled,
+    );
 }

 #[tokio::test]
--- a/codex-rs/core/src/context_manager/history_tests.rs
+++ b/codex-rs/core/src/context_manager/history_tests.rs
@@ -13,13 +13,13 @@ use codex_protocol::models::ImageDetail;
 use codex_protocol::models::LocalShellAction;
 use codex_protocol::models::LocalShellExecAction;
 use codex_protocol::models::LocalShellStatus;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::ReasoningItemContent;
 use codex_protocol::models::ReasoningItemReasoningSummary;
 use codex_protocol::openai_models::InputModality;
 use codex_protocol::openai_models::default_input_modalities;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::InterAgentCommunication;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnContextItem;
 use codex_utils_output_truncation::TruncationPolicy;
 use codex_utils_output_truncation::truncate_text;
@@ -119,15 +119,21 @@ fn developer_msg_with_fragments(texts: &[&str]) -> ResponseItem {
 }

 fn reference_context_item() -> TurnContextItem {
+    let cwd = PathBuf::from("/tmp/reference-cwd");
+    let permission_profile = PermissionProfile::read_only();
+    let sandbox_policy = permission_profile
+        .to_legacy_sandbox_policy(cwd.as_path())
+        .expect("read-only permission profile should have a legacy projection");
+
    TurnContextItem {
        turn_id: Some("reference-turn".to_string()),
        trace_id: None,
-        cwd: PathBuf::from("/tmp/reference-cwd"),
+        cwd,
        current_date: Some("2026-03-23".to_string()),
        timezone: Some("America/Los_Angeles".to_string()),
        approval_policy: AskForApproval::OnRequest,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
-        permission_profile: None,
+        sandbox_policy,
+        permission_profile: Some(permission_profile),
        network: None,
        file_system_sandbox_policy: None,
        model: "gpt-test".to_string(),
--- a/codex-rs/core/src/guardian/review_session.rs
+++ b/codex-rs/core/src/guardian/review_session.rs
@@ -18,7 +18,6 @@ use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::protocol::Op;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
 use serde_json::Value;
@@ -703,6 +702,19 @@ async fn run_review_on_session(
        .await
        .unwrap_or_default();

+    let permission_profile = PermissionProfile::read_only();
+    let sandbox_policy =
+        match permission_profile.to_legacy_sandbox_policy(params.parent_turn.cwd.as_path()) {
+            Ok(sandbox_policy) => sandbox_policy,
+            Err(err) => {
+                return (
+                    GuardianReviewSessionOutcome::SessionFailed(err.into()),
+                    false,
+                    analytics_result,
+                );
+            }
+        };
+
    let submit_result = run_before_review_deadline(
        deadline,
        params.external_cancel.as_ref(),
@@ -712,8 +724,8 @@ async fn run_review_on_session(
            cwd: params.parent_turn.cwd.to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile: Some(permission_profile),
            model: params.model.clone(),
            effort: params.reasoning_effort,
            summary: Some(params.reasoning_summary),
@@ -896,15 +908,14 @@ pub(crate) fn build_guardian_review_session_config(
    );
    guardian_config.developer_instructions = None;
    guardian_config.permissions.approval_policy = Constrained::allow_only(AskForApproval::Never);
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    guardian_config.permissions.permission_profile = Constrained::allow_only(
-        PermissionProfile::from_legacy_sandbox_policy(&sandbox_policy),
-    );
+    let permission_profile = PermissionProfile::read_only();
+    guardian_config.permissions.permission_profile =
+        Constrained::allow_only(permission_profile.clone());
    guardian_config
        .permissions
-        .set_legacy_sandbox_policy(sandbox_policy, guardian_config.cwd.as_path())
+        .set_permission_profile(permission_profile)
        .map_err(|err| {
-            anyhow::anyhow!("guardian review session could not set sandbox policy: {err}")
+            anyhow::anyhow!("guardian review session could not set permission profile: {err}")
        })?;
    guardian_config.include_apps_instructions = false;
    guardian_config
--- a/codex-rs/core/src/guardian/tests.rs
+++ b/codex-rs/core/src/guardian/tests.rs
@@ -38,7 +38,6 @@ use codex_protocol::protocol::GuardianRiskLevel;
 use codex_protocol::protocol::GuardianUserAuthorization;
 use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnCompleteEvent;
 use core_test_support::PathBufExt;
 use core_test_support::TempDirExt;
@@ -2168,9 +2167,7 @@ async fn guardian_review_session_config_preserves_parent_network_proxy() {
    );
    assert_eq!(
        guardian_config.permissions.permission_profile,
-        Constrained::allow_only(PermissionProfile::from_legacy_sandbox_policy(
-            &SandboxPolicy::new_read_only_policy(),
-        ))
+        Constrained::allow_only(PermissionProfile::read_only())
    );
 }

@@ -2232,9 +2229,7 @@ async fn guardian_review_session_config_uses_live_network_proxy_state() {
            NetworkProxySpec::from_config_and_constraints(
                live_network,
                /*requirements*/ None,
-                &PermissionProfile::from_legacy_sandbox_policy(
-                    &SandboxPolicy::new_read_only_policy(),
-                ),
+                &PermissionProfile::read_only(),
            )
            .expect("live network proxy spec")
        )
--- a/codex-rs/core/src/realtime_context_tests.rs
+++ b/codex-rs/core/src/realtime_context_tests.rs
@@ -13,10 +13,10 @@ use chrono::Utc;
 use codex_git_utils::GitSha;
 use codex_protocol::ThreadId;
 use codex_protocol::models::ContentItem;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::GitInfo;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_thread_store::StoredThread;
 use core_test_support::PathBufExt;
@@ -28,6 +28,8 @@ use std::process::Command;
 use tempfile::TempDir;

 fn stored_thread(cwd: &str, title: &str, first_user_message: &str) -> StoredThread {
+    let permission_profile = PermissionProfile::read_only();
+
    StoredThread {
        thread_id: ThreadId::new(),
        rollout_path: Some(PathBuf::from("/tmp/rollout.jsonl")),
@@ -58,7 +60,9 @@ fn stored_thread(cwd: &str, title: &str, first_user_message: &str) -> StoredThre
            repository_url: None,
        }),
        approval_mode: AskForApproval::Never,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
+        sandbox_policy: permission_profile
+            .to_legacy_sandbox_policy(std::path::Path::new(cwd))
+            .expect("read-only permission profile should have a legacy projection"),
        token_usage: None,
        first_user_message: Some(first_user_message.to_string()),
        history: None,
--- a/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
+++ b/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
@@ -28,7 +28,6 @@ use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::GranularApprovalConfig;
 use codex_protocol::protocol::GuardianCommandSource;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxType;
 use codex_shell_escalation::EscalationExecution;
 use codex_shell_escalation::EscalationPermissions;
@@ -67,10 +66,6 @@ fn read_only_file_system_sandbox_policy() -> FileSystemSandboxPolicy {
    }])
 }

-fn permission_profile_from_sandbox_policy(sandbox_policy: &SandboxPolicy) -> PermissionProfile {
-    PermissionProfile::from_legacy_sandbox_policy(sandbox_policy)
-}
-
 fn test_sandbox_cwd() -> AbsolutePathBuf {
    AbsolutePathBuf::try_from(host_absolute_path(&["workspace"])).unwrap()
 }
@@ -406,9 +401,7 @@ async fn execve_permission_request_hook_short_circuits_prompt() -> anyhow::Resul
        call_id: "execve-hook-call".to_string(),
        tool_name: GuardianCommandSource::Shell,
        approval_policy: AskForApproval::OnRequest,
-        permission_profile: permission_profile_from_sandbox_policy(
-            &SandboxPolicy::new_read_only_policy(),
-        ),
+        permission_profile: PermissionProfile::read_only(),
        file_system_sandbox_policy: read_only_file_system_sandbox_policy(),
        sandbox_policy_cwd: workdir.clone(),
        sandbox_permissions: SandboxPermissions::RequireEscalated,
@@ -475,9 +468,7 @@ fn evaluate_intercepted_exec_policy_uses_wrapper_command_when_shell_wrapper_pars
        ],
        InterceptedExecPolicyContext {
            approval_policy: AskForApproval::OnRequest,
-            permission_profile: permission_profile_from_sandbox_policy(
-                &SandboxPolicy::new_read_only_policy(),
-            ),
+            permission_profile: PermissionProfile::read_only(),
            file_system_sandbox_policy: &read_only_file_system_sandbox_policy(),
            sandbox_cwd: sandbox_cwd.as_path(),
            sandbox_permissions: SandboxPermissions::UseDefault,
@@ -530,9 +521,7 @@ fn evaluate_intercepted_exec_policy_matches_inner_shell_commands_when_enabled()
        ],
        InterceptedExecPolicyContext {
            approval_policy: AskForApproval::OnRequest,
-            permission_profile: permission_profile_from_sandbox_policy(
-                &SandboxPolicy::new_read_only_policy(),
-            ),
+            permission_profile: PermissionProfile::read_only(),
            file_system_sandbox_policy: &read_only_file_system_sandbox_policy(),
            sandbox_cwd: sandbox_cwd.as_path(),
            sandbox_permissions: SandboxPermissions::UseDefault,
@@ -576,9 +565,7 @@ host_executable(name = "git", paths = ["{git_path_literal}"])
        &["git".to_string(), "status".to_string()],
        InterceptedExecPolicyContext {
            approval_policy: AskForApproval::OnRequest,
-            permission_profile: permission_profile_from_sandbox_policy(
-                &SandboxPolicy::new_read_only_policy(),
-            ),
+            permission_profile: PermissionProfile::read_only(),
            file_system_sandbox_policy: &read_only_file_system_sandbox_policy(),
            sandbox_cwd: sandbox_cwd.as_path(),
            sandbox_permissions: SandboxPermissions::UseDefault,
@@ -610,7 +597,7 @@ fn intercepted_exec_policy_treats_preapproved_additional_permissions_as_default(
    let program = AbsolutePathBuf::try_from(host_absolute_path(&["usr", "bin", "printf"])).unwrap();
    let argv = ["printf".to_string(), "hello".to_string()];
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = SandboxPolicy::new_workspace_write_policy();
+    let permission_profile = PermissionProfile::workspace_write();
    let file_system_sandbox_policy = read_only_file_system_sandbox_policy();
    let sandbox_cwd = test_sandbox_cwd();

@@ -620,7 +607,7 @@ fn intercepted_exec_policy_treats_preapproved_additional_permissions_as_default(
        &argv,
        InterceptedExecPolicyContext {
            approval_policy,
-            permission_profile: permission_profile_from_sandbox_policy(&sandbox_policy),
+            permission_profile: permission_profile.clone(),
            file_system_sandbox_policy: &file_system_sandbox_policy,
            sandbox_cwd: sandbox_cwd.as_path(),
            sandbox_permissions: super::approval_sandbox_permissions(
@@ -636,7 +623,7 @@ fn intercepted_exec_policy_treats_preapproved_additional_permissions_as_default(
        &argv,
        InterceptedExecPolicyContext {
            approval_policy,
-            permission_profile: permission_profile_from_sandbox_policy(&sandbox_policy),
+            permission_profile,
            file_system_sandbox_policy: &file_system_sandbox_policy,
            sandbox_cwd: sandbox_cwd.as_path(),
            sandbox_permissions: SandboxPermissions::WithAdditionalPermissions,
@@ -671,9 +658,7 @@ host_executable(name = "git", paths = ["{allowed_git_literal}"])
        &["git".to_string(), "status".to_string()],
        InterceptedExecPolicyContext {
            approval_policy: AskForApproval::OnRequest,
-            permission_profile: permission_profile_from_sandbox_policy(
-                &SandboxPolicy::new_read_only_policy(),
-            ),
+            permission_profile: PermissionProfile::read_only(),
            file_system_sandbox_policy: &read_only_file_system_sandbox_policy(),
            sandbox_cwd: sandbox_cwd.as_path(),
            sandbox_permissions: SandboxPermissions::UseDefault,
--- a/codex-rs/core/src/unified_exec/process_manager_tests.rs
+++ b/codex-rs/core/src/unified_exec/process_manager_tests.rs
@@ -71,16 +71,9 @@ fn exec_server_params_use_env_policy_overlay_contract() {
        .expect("current dir")
        .try_into()
        .expect("absolute path");
-    let sandbox_policy = codex_protocol::protocol::SandboxPolicy::DangerFullAccess;
-    let file_system_sandbox_policy =
-        codex_protocol::permissions::FileSystemSandboxPolicy::from(&sandbox_policy);
+    let permission_profile = codex_protocol::models::PermissionProfile::Disabled;
+    let file_system_sandbox_policy = permission_profile.file_system_sandbox_policy();
    let network_sandbox_policy = codex_protocol::permissions::NetworkSandboxPolicy::Restricted;
-    let permission_profile =
-        codex_protocol::models::PermissionProfile::from_runtime_permissions_with_enforcement(
-            codex_protocol::models::SandboxEnforcement::from_legacy_sandbox_policy(&sandbox_policy),
-            &file_system_sandbox_policy,
-            network_sandbox_policy,
-        );
    let request = ExecRequest {
        command: vec!["bash".to_string(), "-lc".to_string(), "true".to_string()],
        cwd: cwd.clone(),
--- a/codex-rs/core/tests/suite/apply_patch_cli.rs
+++ b/codex-rs/core/tests/suite/apply_patch_cli.rs
@@ -18,7 +18,6 @@ use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::Op;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::user_input::UserInput;
 #[cfg(target_os = "linux")]
 use codex_sandboxing::landlock::CODEX_LINUX_SANDBOX_ARG0;
@@ -36,6 +35,7 @@ use core_test_support::skip_if_remote;
 use core_test_support::test_codex::TestCodexBuilder;
 use core_test_support::test_codex::TestCodexHarness;
 use core_test_support::test_codex::test_codex;
+use core_test_support::test_codex::turn_permission_fields;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_with_timeout;
 use serde_json::json;
@@ -64,6 +64,8 @@ async fn apply_patch_harness_with(
 async fn submit_without_wait(harness: &TestCodexHarness, prompt: &str) -> Result<()> {
    let test = harness.test();
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, harness.cwd());
    test.codex
        .submit(Op::UserTurn {
            environments: None,
@@ -75,8 +77,8 @@ async fn submit_without_wait(harness: &TestCodexHarness, prompt: &str) -> Result
            cwd: harness.cwd().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
--- a/codex-rs/core/tests/suite/hooks.rs
+++ b/codex-rs/core/tests/suite/hooks.rs
@@ -1943,9 +1943,9 @@ print(json.dumps({{
        fs::remove_file(&marker).context("remove leftover plugin pre tool use marker")?;
    }

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "run the shell command blocked by a plugin hook",
-        codex_protocol::protocol::SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

--- a/codex-rs/core/tests/suite/unified_exec.rs
+++ b/codex-rs/core/tests/suite/unified_exec.rs
@@ -14,7 +14,6 @@ use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::ExecCommandSource;
 use codex_protocol::protocol::ExecCommandStatus;
 use codex_protocol::protocol::Op;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::user_input::UserInput;
 use core_test_support::assert_regex_match;
 use core_test_support::process::process_is_alive;
@@ -33,6 +32,7 @@ use core_test_support::skip_if_windows;
 use core_test_support::test_codex::TestCodex;
 use core_test_support::test_codex::TestCodexHarness;
 use core_test_support::test_codex::test_codex;
+use core_test_support::test_codex::turn_permission_fields;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_match;
 use core_test_support::wait_for_event_with_timeout;
@@ -183,9 +183,11 @@ async fn wait_for_raw_unified_exec_output(
 async fn submit_unified_exec_turn(
    test: &TestCodex,
    prompt: &str,
-    sandbox_policy: SandboxPolicy,
+    permission_profile: PermissionProfile,
 ) -> Result<()> {
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(permission_profile, test.config.cwd.as_path());

    test.codex
        .submit(Op::UserTurn {
@@ -199,7 +201,7 @@ async fn submit_unified_exec_turn(
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
            sandbox_policy,
-            permission_profile: None,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -271,6 +273,8 @@ async fn unified_exec_intercepts_apply_patch_exec_command() -> Result<()> {
    let codex = test.codex.clone();
    let cwd = test.cwd_path().to_path_buf();
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, cwd.as_path());

    codex
        .submit(Op::UserTurn {
@@ -283,8 +287,8 @@ async fn unified_exec_intercepts_apply_patch_exec_command() -> Result<()> {
            cwd,
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -402,7 +406,7 @@ async fn unified_exec_emits_exec_command_begin_event() -> Result<()> {
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "emit begin event", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "emit begin event", PermissionProfile::Disabled).await?;

    let begin_event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandBegin(event) if event.call_id == call_id => Some(event.clone()),
@@ -466,7 +470,7 @@ async fn unified_exec_resolves_relative_workdir() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "run relative workdir test",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -531,7 +535,7 @@ async fn unified_exec_respects_workdir_override() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "run workdir test", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "run workdir test", PermissionProfile::Disabled).await?;

    let begin_event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandBegin(event) if event.call_id == call_id => Some(event.clone()),
@@ -608,7 +612,7 @@ async fn unified_exec_emits_exec_command_end_event() -> Result<()> {
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "emit end event", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "emit end event", PermissionProfile::Disabled).await?;

    let end_event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandEnd(ev) if ev.call_id == call_id => Some(ev.clone()),
@@ -666,7 +670,7 @@ async fn unified_exec_emits_output_delta_for_exec_command() -> Result<()> {
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "emit delta", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "emit delta", PermissionProfile::Disabled).await?;

    let event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandEnd(ev) if ev.call_id == call_id => Some(ev.clone()),
@@ -728,7 +732,7 @@ async fn unified_exec_full_lifecycle_with_background_end_event() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "exercise full unified exec lifecycle",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -871,7 +875,7 @@ async fn unified_exec_short_lived_network_denial_emits_failed_end_event() -> Res
 #[allow(clippy::expect_used)]
 async fn unified_exec_network_denial_test(
    server: &wiremock::MockServer,
-) -> Result<(TestCodex, SandboxPolicy)> {
+) -> Result<(TestCodex, PermissionProfile)> {
    use codex_config::ConfigLayerStack;
    use codex_config::ConfigLayerStackOrdering;
    use codex_config::Constrained;
@@ -879,6 +883,7 @@ async fn unified_exec_network_denial_test(
    use codex_config::NetworkRequirementsToml;
    use codex_config::RequirementSource;
    use codex_config::Sourced;
+    use codex_protocol::permissions::NetworkSandboxPolicy;
    use std::sync::Arc;
    use tempfile::TempDir;

@@ -896,11 +901,13 @@ mode = "limited"
 allow_local_binding = true
 "#,
    )?;
-    let mut sandbox_policy = SandboxPolicy::new_workspace_write_policy();
-    if let SandboxPolicy::WorkspaceWrite { network_access, .. } = &mut sandbox_policy {
-        *network_access = true;
-    }
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Enabled,
+        /*exclude_tmpdir_env_var*/ false,
+        /*exclude_slash_tmp*/ false,
+    );
+    let permission_profile_for_config = permission_profile.clone();
    let mut builder = test_codex().with_home(home).with_config(move |config| {
        config.use_experimental_unified_exec_tool = true;
        config
@@ -908,9 +915,8 @@ allow_local_binding = true
            .enable(Feature::UnifiedExec)
            .expect("test config should allow feature update");
        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::Never);
-        config.permissions.permission_profile = Constrained::allow_any(
-            PermissionProfile::from_legacy_sandbox_policy(&sandbox_policy_for_config),
-        );
+        config.permissions.permission_profile =
+            Constrained::allow_any(permission_profile_for_config);
        let layers = config
            .config_layer_stack
            .get_layers(
@@ -947,7 +953,7 @@ allow_local_binding = true
        "expected managed network proxy config to be present"
    );

-    Ok((test, sandbox_policy))
+    Ok((test, permission_profile))
 }

 async fn mount_unified_exec_network_denial_responses(
@@ -1065,7 +1071,7 @@ async fn unified_exec_emits_terminal_interaction_for_write_stdin() -> Result<()>
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "stdin delta", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "stdin delta", PermissionProfile::Disabled).await?;

    let mut terminal_interaction = None;

@@ -1185,7 +1191,7 @@ async fn unified_exec_terminal_interaction_captures_delayed_output() -> Result<(
    submit_unified_exec_turn(
        &test,
        "delayed terminal interaction output",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1330,7 +1336,7 @@ async fn unified_exec_emits_one_begin_and_one_end_event() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "check poll event behavior",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1420,7 +1426,7 @@ async fn exec_command_reports_chunk_and_exit_metadata() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "run metadata test", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "run metadata test", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -1519,7 +1525,7 @@ async fn exec_command_clamps_model_requested_max_output_tokens_to_policy() -> Re
    submit_unified_exec_turn(
        &test,
        "run clamped max output test",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1602,7 +1608,7 @@ async fn write_stdin_clamps_model_requested_max_output_tokens_to_policy() -> Res
    submit_unified_exec_turn(
        &test,
        "run clamped write_stdin output test",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1667,7 +1673,7 @@ async fn unified_exec_defaults_to_pipe() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "check default pipe mode",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1734,7 +1740,7 @@ async fn unified_exec_can_enable_tty() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "check tty enabled", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "check tty enabled", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -1801,7 +1807,7 @@ async fn unified_exec_respects_early_exit_notifications() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "watch early exit timing",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1920,7 +1926,7 @@ async fn write_stdin_returns_exit_metadata_and_clears_session() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "test write_stdin exit behavior",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -2073,7 +2079,7 @@ async fn unified_exec_emits_end_event_when_session_dies_via_stdin() -> Result<()
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "end on exit", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "end on exit", PermissionProfile::Disabled).await?;

    // We expect the ExecCommandEnd event to match the initial exec_command call_id.
    let end_event = wait_for_event_match(&test.codex, |msg| match msg {
@@ -2139,6 +2145,8 @@ async fn unified_exec_keeps_long_running_session_after_turn_end() -> Result<()>
    mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2151,8 +2159,8 @@ async fn unified_exec_keeps_long_running_session_after_turn_end() -> Result<()>
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2234,6 +2242,8 @@ async fn unified_exec_interrupt_preserves_long_running_session() -> Result<()> {
    mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2246,8 +2256,8 @@ async fn unified_exec_interrupt_preserves_long_running_session() -> Result<()> {
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2339,7 +2349,7 @@ async fn unified_exec_reuses_session_via_stdin() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "run unified exec", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "run unified exec", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -2457,12 +2467,7 @@ PY
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(
-        &test,
-        "exercise lag handling",
-        SandboxPolicy::DangerFullAccess,
-    )
-    .await?;
+    submit_unified_exec_turn(&test, "exercise lag handling", PermissionProfile::Disabled).await?;
    // This is a worst case scenario for the truncate logic, and CI can spend a
    // while draining the lagged tail before the follow-up tool call completes.
    wait_for_event_with_timeout(
@@ -2557,7 +2562,7 @@ async fn unified_exec_timeout_and_followup_poll() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "check timeout", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "check timeout", PermissionProfile::Disabled).await?;

    loop {
        let event = test.codex.next_event().await.expect("event");
@@ -2633,12 +2638,7 @@ PY
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(
-        &test,
-        "summarize large output",
-        SandboxPolicy::DangerFullAccess,
-    )
-    .await?;
+    submit_unified_exec_turn(&test, "summarize large output", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -2708,6 +2708,8 @@ async fn unified_exec_runs_under_sandbox() -> Result<()> {
    let request_log = mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::read_only(), cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2721,8 +2723,8 @@ async fn unified_exec_runs_under_sandbox() -> Result<()> {
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
            // Important!
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2753,7 +2755,6 @@ async fn unified_exec_runs_under_sandbox() -> Result<()> {
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
    use codex_config::Constrained;
-    use codex_protocol::models::PermissionProfile;
    use codex_protocol::permissions::FileSystemAccessMode;
    use codex_protocol::permissions::FileSystemPath;
    use codex_protocol::permissions::FileSystemSandboxEntry;
@@ -2764,16 +2765,11 @@ async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
    skip_if_sandbox!(Ok(()));

    let server = start_mock_server().await;
-    let read_only_policy = SandboxPolicy::new_read_only_policy();
-    let read_only_policy_for_config = read_only_policy.clone();
    let mut builder = test_codex().with_config(move |config| {
        config
            .features
            .enable(Feature::UnifiedExec)
            .expect("test config should allow feature update");
-        config
-            .set_legacy_sandbox_policy(read_only_policy_for_config)
-            .expect("set sandbox policy");
        let mut file_system_sandbox_policy = FileSystemSandboxPolicy::default();
        file_system_sandbox_policy
            .entries
@@ -2828,6 +2824,8 @@ async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
    let request_log = mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(session_configured.permission_profile.clone(), cwd.path());
    codex
        .submit(Op::UserTurn {
            environments: None,
@@ -2839,8 +2837,8 @@ async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: read_only_policy,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2957,6 +2955,8 @@ async fn unified_exec_python_prompt_under_seatbelt() -> Result<()> {
    let request_log = mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::read_only(), cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2969,8 +2969,8 @@ async fn unified_exec_python_prompt_under_seatbelt() -> Result<()> {
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -3053,12 +3053,7 @@ async fn unified_exec_runs_on_all_platforms() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(
-        &test,
-        "summarize large output",
-        SandboxPolicy::DangerFullAccess,
-    )
-    .await?;
+    submit_unified_exec_turn(&test, "summarize large output", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -3176,7 +3171,7 @@ async fn unified_exec_prunes_exited_sessions_first() -> Result<()> {
    let response_mock =
        mount_sse_sequence(&server, vec![first_response, completion_response]).await;

-    submit_unified_exec_turn(&test, "fill session cache", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "fill session cache", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
--- a/codex-rs/exec-server/src/server/file_system_handler.rs
+++ b/codex-rs/exec-server/src/server/file_system_handler.rs
@@ -173,8 +173,8 @@ fn map_fs_error(err: io::Error) -> JSONRPCErrorError {

 #[cfg(test)]
 mod tests {
-    use codex_protocol::protocol::NetworkAccess;
-    use codex_protocol::protocol::SandboxPolicy;
+    use codex_protocol::models::PermissionProfile;
+    use codex_protocol::permissions::NetworkSandboxPolicy;
    use codex_utils_absolute_path::AbsolutePathBuf;
    use pretty_assertions::assert_eq;

@@ -195,12 +195,12 @@ mod tests {
        let sandbox_cwd =
            AbsolutePathBuf::from_absolute_path(temp_dir.path()).expect("absolute tempdir");

-        for (file_name, sandbox_policy) in [
-            ("danger.txt", SandboxPolicy::DangerFullAccess),
+        for (file_name, permission_profile) in [
+            ("danger.txt", PermissionProfile::Disabled),
            (
                "external.txt",
-                SandboxPolicy::ExternalSandbox {
-                    network_access: NetworkAccess::Restricted,
+                PermissionProfile::External {
+                    network: NetworkSandboxPolicy::Restricted,
                },
            ),
        ] {
@@ -212,8 +212,8 @@ mod tests {
                .write_file(FsWriteFileParams {
                    path: path.clone(),
                    data_base64: STANDARD.encode("ok"),
-                    sandbox: Some(FileSystemSandboxContext::from_legacy_sandbox_policy(
-                        sandbox_policy.clone(),
+                    sandbox: Some(FileSystemSandboxContext::from_permission_profile_with_cwd(
+                        permission_profile.clone(),
                        sandbox_cwd.clone(),
                    )),
                })
@@ -223,8 +223,8 @@ mod tests {
            let response = handler
                .read_file(FsReadFileParams {
                    path,
-                    sandbox: Some(FileSystemSandboxContext::from_legacy_sandbox_policy(
-                        sandbox_policy,
+                    sandbox: Some(FileSystemSandboxContext::from_permission_profile_with_cwd(
+                        permission_profile,
                        sandbox_cwd.clone(),
                    )),
                })
--- a/codex-rs/exec/tests/suite/sandbox.rs
+++ b/codex-rs/exec/tests/suite/sandbox.rs
@@ -1,6 +1,7 @@
 #![cfg(unix)]
 use codex_core::spawn::StdioPolicy;
-use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::test_support::PathBufExt;
 use std::collections::HashMap;
@@ -14,7 +15,7 @@ use tokio::process::Child;
 async fn spawn_command_under_sandbox(
    command: Vec<String>,
    command_cwd: AbsolutePathBuf,
-    sandbox_policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    sandbox_cwd: &AbsolutePathBuf,
    stdio_policy: StdioPolicy,
    env: HashMap<String, String>,
@@ -24,7 +25,6 @@ async fn spawn_command_under_sandbox(
    use codex_core::exec::build_exec_request;
    use codex_core::sandboxing::SandboxPermissions;
    use codex_protocol::config_types::WindowsSandboxLevel;
-    use codex_protocol::models::PermissionProfile;
    use std::process::Stdio;

    let codex_linux_sandbox_exe = None;
@@ -42,7 +42,7 @@ async fn spawn_command_under_sandbox(
            justification: None,
            arg0: None,
        },
-        &PermissionProfile::from_legacy_sandbox_policy(sandbox_policy),
+        permission_profile,
        sandbox_cwd,
        &codex_linux_sandbox_exe,
        /*use_legacy_landlock*/ false,
@@ -83,22 +83,20 @@ async fn spawn_command_under_sandbox(
 async fn spawn_command_under_sandbox(
    command: Vec<String>,
    command_cwd: AbsolutePathBuf,
-    sandbox_policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    sandbox_cwd: &AbsolutePathBuf,
    stdio_policy: StdioPolicy,
    env: HashMap<String, String>,
 ) -> std::io::Result<Child> {
    use codex_core::spawn_command_under_linux_sandbox;
-    use codex_protocol::models::PermissionProfile;

    let codex_linux_sandbox_exe = core_test_support::find_codex_linux_sandbox_exe()
        .map_err(|err| io::Error::new(io::ErrorKind::NotFound, err))?;
-    let permission_profile = PermissionProfile::from_legacy_sandbox_policy(sandbox_policy);
    spawn_command_under_linux_sandbox(
        codex_linux_sandbox_exe,
        command,
        command_cwd,
-        &permission_profile,
+        permission_profile,
        sandbox_cwd,
        /*use_legacy_landlock*/ false,
        stdio_policy,
@@ -118,9 +116,16 @@ async fn spawn_command_under_sandbox(
 async fn linux_sandbox_test_env() -> Option<HashMap<String, String>> {
    let command_cwd = AbsolutePathBuf::current_dir().ok()?;
    let sandbox_cwd = command_cwd.clone();
-    let policy = SandboxPolicy::new_read_only_policy();
+    let permission_profile = PermissionProfile::read_only();

-    if can_apply_linux_sandbox_policy(&policy, &command_cwd, &sandbox_cwd, HashMap::new()).await {
+    if can_apply_linux_sandbox_policy(
+        &permission_profile,
+        &command_cwd,
+        &sandbox_cwd,
+        HashMap::new(),
+    )
+    .await
+    {
        return Some(HashMap::new());
    }

@@ -135,7 +140,7 @@ async fn linux_sandbox_test_env() -> Option<HashMap<String, String>> {
 /// This is used as a capability probe so sandbox behavior tests only run when
 /// Landlock enforcement is actually active.
 async fn can_apply_linux_sandbox_policy(
-    policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    command_cwd: &AbsolutePathBuf,
    sandbox_cwd: &AbsolutePathBuf,
    env: HashMap<String, String>,
@@ -143,7 +148,7 @@ async fn can_apply_linux_sandbox_policy(
    let spawn_result = spawn_command_under_sandbox(
        vec!["/usr/bin/true".to_string()],
        command_cwd.clone(),
-        policy,
+        permission_profile,
        sandbox_cwd,
        StdioPolicy::RedirectForShellTool,
        env,
@@ -180,12 +185,12 @@ async fn python_multiprocessing_lock_works_under_sandbox() {
    #[cfg(target_os = "linux")]
    let writable_roots: Vec<AbsolutePathBuf> = vec!["/dev/shm".try_into().unwrap()];

-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots,
-        network_access: false,
-        exclude_tmpdir_env_var: false,
-        exclude_slash_tmp: false,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &writable_roots,
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ false,
+        /*exclude_slash_tmp*/ false,
+    );

    let python_code = r#"import multiprocessing
 from multiprocessing import Lock, Process
@@ -210,7 +215,7 @@ if __name__ == '__main__':
            python_code.to_string(),
        ],
        command_cwd,
-        &policy,
+        &permission_profile,
        &sandbox_cwd,
        StdioPolicy::Inherit,
        sandbox_env,
@@ -242,7 +247,7 @@ async fn python_getpwuid_works_under_sandbox() {
        return;
    }

-    let policy = SandboxPolicy::new_read_only_policy();
+    let permission_profile = PermissionProfile::read_only();
    let command_cwd = AbsolutePathBuf::current_dir().expect("should be able to get current dir");
    let sandbox_cwd = command_cwd.clone();

@@ -253,7 +258,7 @@ async fn python_getpwuid_works_under_sandbox() {
            "import pwd, os; print(pwd.getpwuid(os.getuid()))".to_string(),
        ],
        command_cwd,
-        &policy,
+        &permission_profile,
        &sandbox_cwd,
        StdioPolicy::RedirectForShellTool,
        sandbox_env,
@@ -294,12 +299,12 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
    // Note writable_roots is empty: verify that `canonical_allowed_path` is
    // writable only because it is under the sandbox policy cwd, not because it
    // is under a writable root.
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    );

    // Attempt to write inside the command cwd, which is outside of the sandbox policy cwd.
    let mut child = spawn_command_under_sandbox(
@@ -309,7 +314,7 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
            "echo forbidden > forbidden.txt".to_string(),
        ],
        command_root.clone(),
-        &policy,
+        &permission_profile,
        &canonical_sandbox_root,
        StdioPolicy::Inherit,
        sandbox_env.clone(),
@@ -340,7 +345,7 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
            canonical_allowed_path.to_string_lossy().into_owned(),
        ],
        command_root,
-        &policy,
+        &permission_profile,
        &canonical_sandbox_root,
        StdioPolicy::Inherit,
        sandbox_env,
@@ -375,12 +380,12 @@ async fn sandbox_blocks_first_time_dot_codex_creation() {
    create_dir_all(&repo_root).await.expect("mkdir repo");
    let dot_codex = repo_root.join(".codex");
    let config_toml = dot_codex.join("config.toml");
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    );

    let mut child = spawn_command_under_sandbox(
        vec![
@@ -390,7 +395,7 @@ async fn sandbox_blocks_first_time_dot_codex_creation() {
                .to_string(),
        ],
        repo_root.clone(),
-        &policy,
+        &permission_profile,
        &repo_root,
        StdioPolicy::RedirectForShellTool,
        sandbox_env,
@@ -507,7 +512,7 @@ fn unix_sock_body() {
 async fn allow_unix_socketpair_recvfrom() {
    run_code_under_sandbox(
        "allow_unix_socketpair_recvfrom",
-        &SandboxPolicy::new_read_only_policy(),
+        &PermissionProfile::read_only(),
        || async { unix_sock_body() },
    )
    .await
@@ -519,7 +524,7 @@ const IN_SANDBOX_ENV_VAR: &str = "IN_SANDBOX";
 #[expect(clippy::expect_used)]
 pub async fn run_code_under_sandbox<F, Fut>(
    test_selector: &str,
-    policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    child_body: F,
 ) -> io::Result<Option<ExitStatus>>
 where
@@ -544,7 +549,7 @@ where
        let mut child = spawn_command_under_sandbox(
            cmds,
            command_cwd,
-            policy,
+            permission_profile,
            &sandbox_cwd,
            stdio_policy,
            HashMap::from([("IN_SANDBOX".into(), "1".into())]),
--- a/codex-rs/memories/write/src/phase2.rs
+++ b/codex-rs/memories/write/src/phase2.rs
@@ -17,9 +17,10 @@ use codex_config::Constrained;
 use codex_core::config::Config;
 use codex_features::Feature;
 use codex_protocol::ThreadId;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AgentStatus;
 use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TokenUsage;
 use codex_protocol::user_input::UserInput;
 use codex_state::Stage1Output;
@@ -315,18 +316,16 @@ mod agent {
            .features
            .disable(Feature::SkillMcpDependencyInstall);

-        // Sandbox policy
-        let writable_roots = vec![root];
        // The consolidation agent only needs local memory-root write access and no network.
-        let consolidation_sandbox_policy = SandboxPolicy::WorkspaceWrite {
-            writable_roots,
-            network_access: false,
-            exclude_tmpdir_env_var: true,
-            exclude_slash_tmp: true,
-        };
+        let permission_profile = PermissionProfile::workspace_write_with(
+            std::slice::from_ref(&root),
+            NetworkSandboxPolicy::Restricted,
+            /*exclude_tmpdir_env_var*/ true,
+            /*exclude_slash_tmp*/ true,
+        );
        agent_config
            .permissions
-            .set_legacy_sandbox_policy(consolidation_sandbox_policy, agent_config.cwd.as_path())
+            .set_permission_profile(permission_profile)
            .ok()?;

        agent_config.model = Some(
Author	SHA1	Message	Date
Michael Bolin	521cf5bdd4	tests: use permission profiles in unified exec suite	2026-04-30 03:01:06 -07:00
Michael Bolin	57094ee86d	core: use permission profiles in small read-only contexts	2026-04-30 03:01:06 -07:00
Michael Bolin	550adee585	exec tests: launch sandbox cases from permission profiles	2026-04-30 02:36:30 -07:00
Michael Bolin	200c83f7d7	tests: use permission profiles in suite turn submits	2026-04-30 02:36:30 -07:00
Michael Bolin	cfeaa5aab1	guardian: configure review session permissions directly	2026-04-30 02:36:30 -07:00
Michael Bolin	75c9c98aed	tests: use permission profiles in small core fixtures	2026-04-30 02:36:30 -07:00
Michael Bolin	d2e3e3613b	exec-server: use permission profiles in file system handler tests	2026-04-30 02:36:30 -07:00
Michael Bolin	57f895a7c0	memories: configure consolidation permissions directly	2026-04-30 02:36:30 -07:00
Michael Bolin	0cc3264ed4	analytics: distinguish custom managed permission profiles	2026-04-30 02:36:30 -07:00
Michael Bolin	05d341f0d4	tests: use permission profiles in guardian config checks	2026-04-30 02:36:30 -07:00
Michael Bolin	d53c86e0da	tests: use permission profiles in unix escalation checks	2026-04-30 02:36:30 -07:00